- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 10 Feb 2014 15:05:16 +0100
- To: Mike West <mkwst@google.com>
- Cc: David Bruant <bruant.d@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
On Mon, Feb 10, 2014 at 1:40 PM, Mike West <mkwst@google.com> wrote:

> Hrm. I can see that. "none-when-insecure" was meant to refer to the
> transport mechanism only, but I agree with you that it's potentially
> confusing.

I think another problem is also that this value basically means a full Referer header, unless you go from https to http. So in an insecure context, such as HTTP without TLS, you would not use none, but full. "url-unless-downgrade" might make more sense given that description?

Another nit, just "origin" (rather than "origin-always") and "unsafe-url" to align with "none". Or "none-always", but shorter seems better.

> My only concern with "default" is that it might end up meaning
> different things to different browsers (see
> https://groups.google.com/d/msg/mozilla.dev.privacy/wmPzPCdzIU8/KGJ401Dj9lYJ
> for example). It would be nice to have a name that reflected explicit
> functionality as opposed to implicitly falling back on UA behavior. I don't
> have a good suggestion other than what I've already suggested. I'd
> appreciate suggestions from the group...

When we talked about this at Mozilla Brian at least wanted to be able to experiment with exposing less than done currently. I haven't really made up my mind personally as to whether that would make privacy better, but it does seem like something that the user should have control over and a browser should be able to have a conservative policy for.

--
http://annevankesteren.nl/
Received on Monday, 10 February 2014 14:05:49 UTC
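The behaviour Anne describes for the candidate policy names, worked through as an added example (not code from the thread or from any browser): given a source and target URL, decide which Referer value a user agent would send. The policy names are the ones proposed above ("none", "origin", "unsafe-url", "url-unless-downgrade"); the fragment and userinfo stripping is an extra safeguard assumed here, not something the thread specifies.

```python
from urllib.parse import urlsplit, urlunsplit

# Candidate names from the thread. "url-unless-downgrade" is the semantics
# Anne spells out: the full URL, except when going from https to http.
POLICIES = {"none", "origin", "unsafe-url", "url-unless-downgrade"}


def _is_downgrade(src, dst):
    # A downgrade is only https -> non-https; plain http -> http is not one.
    return src.scheme == "https" and dst.scheme != "https"


def _host(u):
    # hostname/port without any userinfo that might be embedded in the netloc
    host = u.hostname or ""
    if u.port:
        host += f":{u.port}"
    return host


def _origin(u):
    # scheme://host[:port]/ -- no path, no query
    return urlunsplit((u.scheme, _host(u), "/", "", ""))


def _full_url(u):
    # Full URL minus fragment and userinfo (assumed safeguard, not from the thread).
    return urlunsplit((u.scheme, _host(u), u.path or "/", u.query, ""))


def referer_for(policy, source, target):
    """Return the Referer header value to send, or None to omit the header."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    src, dst = urlsplit(source), urlsplit(target)
    if policy == "none":
        return None
    if policy == "unsafe-url":
        return _full_url(src)
    if policy == "url-unless-downgrade":
        # The point raised above: on insecure transport this is still "full".
        return None if _is_downgrade(src, dst) else _full_url(src)
    # "origin": only the origin, regardless of transport or downgrade
    return _origin(src)
```

Note that under "url-unless-downgrade" an http page navigating to another http page still leaks its full path and query, which is why the name "none-when-insecure" reads wrongly for it.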